Posted by Unknown Lamer on Wednesday December 04, 2013 @11:49AM
from the are-you-serious dept.

jfruh writes "One of the most potent aspects of Anonymous is, well, its anonymity — but that isn't absolute. Eric Rosol was caught by federal authorities participating in a DDoS attack on a company owned by Koch Industry; for knocking a website offline for 15 minutes, Rosol got two years of probation and had to pay $183,000 in restitution (the amount Koch paid to a security consultant to protect its website after the attack)."
The worst part? From the article: "Eric J. Rosol, 38, is said to have admitted that on Feb. 28, 2011, he took part in a denial of service attack for about a minute on a Web page of Koch Industries..."

Where's the "Like" button?
There's just something egregiously wrong when you can be fined $183,000 and get two years probation for something like participating in a short-lived denial of service attack. That's a wildly disproportionate punishment!

I wonder how long it will be before a company attempts to make a DoS case against someone for visiting a site once. I could see the prosecutor in the Aaron Swartz case trying this. He was conducting a denial of service attack simply by visiting the download site for those academic journal articles. It just wasn't a very good DoS attack.

That's not justice at all, like the other one said. If police are too incompetent, or it is unfeasible to catch most people who commit a certain crime, they can't (or rather, shouldn't) punish those they do catch much more severely simply because they can't catch other people who commit said crime. Justice > security.

I view a 1 minute DoS attack as roughly akin to orchestrating one minute of blocking the entrance to a store (or maybe multiple stores). Such an act, while punishable by a trespassing fine, probably on the order of $100-$500, the "online" equivalent of $183,000 and two years probation does not match the act, especially when he was one of only several thousand people doing the same thing.

There are a few countries in the 1960s and 1970s that adopted the policy that there is no social justification for "making an example" of someone, and that the purpose of the justice system is rehabilitation and fair application of rules, rather than vindictive retribution, catharsis for victims, or the attempt to squash crime through draconian punishments.

Those countries (Norway, Denmark, Korea, New Zealand) stand in contrast to those countries who adopted a policy of "tough on crime" during the same period (the US, Britain, France). Looking back, the crime rates in these countries diverged, and today we find those countries with liberal justice systems having seen their crime rate drop much faster than those with draconian justice policy.

Sure, this is anecdote, but I don't buy vengeance or harsh deterrence as justified reasons for rolling out the stocks on the few people who are caught at a relatively rare crime.

Well, there's one DDOS attack that's perfectly legal. Boycott Koch Industries and all their products. Of course it'd take some hunting to find out just what Koch does besides drill for oil, foul the environment and inject tons of money to corrupt the political system to their ends.

They refer to it most of the time as 'the legal system' versus the 'justice system'. Justice system is most often a misnomer. We can rarely provide any worthwhile justice. We can, however, enforce a code of laws.

I think the penalty here is vastly disproportionate. On the other hand, I do think the guy knowingly broke the law and should have suffered a penalty. Probation for two years seems reasonable. The fine should have been more in the $5-10K range as a 'hurts but won't kill you' fine. It has to be bad en

1. People are bad at estimating probabilities, so low probs get rounded to zero.

2. People don't like to think bad things, so the more severe the punishment, the less likely the potential criminal is to imagine it being applied to him - robbing it of much or all of its power.

3. If you are hated, for example because you are perceived to be an unjust tyrant who hands over disproportionate punishments to compensate for incompetent police, the Benefit will go up, since people want to oppose you.

Even ancient Rome, where conservatives demanded criminals be crucified and bleeding-heart liberals merely fed them to lions, never ran out of them.

Another way this is misleading is that the lifetime of debt slavery - what the $183,000 amounts to - is not considered the punishment. 2 years probation is the punishment; $183,000 is "damages". Thus what we have here is an example of a rather nasty loophole in the law, where the main part of a punishment is not subject to normal lawmaking process but is rather ordered by the judge on a case-by-case basis. This leads to exactly this kind of perversions.

Compare: if my dog took a dump in your lawn, would I be guilty and should I clean it up? Absolutely. If you then spent $183,000 to dog-proof your yard, should I pay for it? Of course not, that's crazy. Except that's exactly what happened here.

When you have lots of cash at your disposal, lobbyists on your payroll, and congressmen in your pocket, all things are legally possible. Even if you used an automated tool. We should use this man as our rallying cry to attack Koch Industries again. Also educate people on how to create civil disobedience and not get caught.

Then you are missing the point of civil disobedience. You are supposed to get caught, especially in places like the US where LEOs like to have a bit of theatricality in perp-walking someone out to the squad car. You want all the attention you can get, that's the point, you are calling attention to something you believe to be wrong.

How do you make that comparison? Just a few months ago JP Morgan was fined $14Billion by US and UK regulators for its involvement in various dealings leading up to the crash. So far, nearly $100Billion in fines has been handed out across the US and EU for suspect deals that contributed to the financial climate prior to the crash.

$100 Billion may sound like a lot to you but that doesn't mean it's meaningful in regards to the actual damages done. More often than not when massive horrible things are done by Corporations (the crash of the financial/real estate markets, the Gulf oil spill, etc.) large corps get hit with penalties that look massive to an individual but actually only represent a small part of the true cost of restitution and only represent a day or two of operating profits at most for the company.

What happened in the story is so astonishingly unjustly inverted from that scenario because, in contrast, this guy was hit with the entire cost of the damages (even though he was only a tiny contributor to the actual crime), and that penalty probably represents many years worth of profits for him (minus the basic costs of living and taxes). It would be like fining JP Morgan all the Trillions of dollars that were estimated to have been lost throughout the economy because the courts didn't feel that they were likely to be able to clearly identify any of the other big players in the crime. Then, for good measure, make it so that the costs of litigating appeals of that verdict would be so expensive that it was guaranteed to drive the company into complete bankruptcy (since even if this guy has a decent job and was able to afford a non-state appointed attorney for this trial it's unlikely he'll be able to hire a highly competent set of lawyers throughout the entire appeals process in the same way major companies do in order to successfully drive down the original, already too small, fines they are hit with).

It's 100 billion more than Freddy or Fanny will pay. You know the government chartered non-profits run by former executive branch big wigs that started the whole mess by buying crap mortgages in a misguided effort to engineer society? Freddy and Fanny.

Don't forget this part: the amount Koch paid to a security consultant to protect its website after the attack

So if I have no locks on my door, and someone comes in, they need to pay for the locks I decide maybe I should have had on my door?

That's not how computer security works though. This was a DDoS attack. It's more like having a decent lock on your door, but then someone uses a battering ram so you spring for a steel-reinforced door instead.

First of all, the settlement, as the folks at Better Markets have pointed out, may wipe out between $100 billion and $200 billion in potential liability -- meaning that the bank might just have settled "for ten cents or so on the dollar."...

Moreover, the settlement is only $9 billion in cash, with $4 billion earmarked for "mortgage relief." Again, as Better Markets noted, we've seen settlements with orders of mortgage relief before, and banks seem to have many canny ways of getting out of the spirit of these requirements....

There's also the matter of the remaining $9 billion in fines being tax deductible (meaning we're subsidizing the settlement), and the fact that Chase is reportedly trying to get the FDIC to assume some of Washington Mutual's liability.

But overall, the key to this whole thing is that the punishment is just money, and not a crippling amount, and not from any individual's pocket, either. In fact, the deal that has just been completed between Chase and the state represents the end, or near the end, of a long process by which people who committed essentially the same crimes as Bernie Madoff will walk away without paying any individual penalty....

A few more notes on the deal. This latest settlement reportedly came about when CEO Jamie Dimon picked up the phone and called a high-ranking lieutenant of Attorney General Holder, who was about to hold a press conference announcing civil charges against the bank. The Justice Department meekly took the call, canceled the presser, and worked out this hideous deal, instead of doing the right thing and blowing off the self-important Wall Street hotshot long used to resolving meddlesome issues with the gift of his personal attention.

Why is someone who uses legal tax exemptions the one to blame? How about the congresspukes who add 4,000 pages of exemptions, credits and penalties to the tax code every year?

Taxes are not merely intended to take in revenue. You don't need 80,000 pages to do that. The principal purpose of the tax code is to control, or at least influence "behavior". And we all know what the IRS is for.

- how many others participated in this DDOS? divide by that number
- how long were other machines involved in this? divide by that time
- how fast was his internet connection in comparison to the others? divide by that

He admitted to guilt, but it's not fair to hold him completely financially responsible simply because he was the only person they were able to catch and was honest enough to confess.

Actually they do. Had a meth head that kept breaking into my father's garage and stealing tools to pawn. Installed some cameras and actually caught some kid about 15 or so doing it. The judge ordered him to pay for the cameras plus all the tools stolen over the 5 or 6 break-ins. We sued his parents and got a judgement for $15k in all. This was around 2000 or so. It covered the installation of the security system, cameras, and time taken off work to rush home and see what was stolen this time.

The problem with your analogy is that in the case of murder, if a second person gets caught, he'll face murder charges too. There is no restitution - it's punitive.

But in this case, where the only person who got caught was faced with the entire charge, a second person who gets caught won't have to pay anything because it's already paid. It destroys equality in front of the law.

Either that, or you make the second person pay the same amount, and then you have a victim or court system that profits from him being caught. Which both are even worse alternatives.

The damage he should pay is what damage he caused. Nothing more, nothing less.

No, it should be higher than that--you have to multiply it enough that it discourages the behavior. That's how legal penalties work, even in a consequentialist rather than retributivist model. That means you have to take into account the probability of getting caught, which is low.

A salient example of s/sheep/lamb/ is the drug war which has become ever more violent over time as penalties for getting caught become ever more draconian. If you're going to do a life (or close to it) sentence for getting caught, might as well just kill the person trying to catch you or witnessing what you are doing, and improve your chance of remaining free.

Except that wasn't a fine it was a retribution payment. He is being made to pay for 100% of the damages though he probably represented less than a small fraction of a single percentage of the attack. So what happens if they manage to find another one of the perpetrators, does that person get off without any financial penalties because the retribution has already been allocated to another?

So the best way to discourage a DDoS is to say that the more people you involve in the DDoS, the less punishment you should receive for getting caught?

I can't think of a better way to encourage DDoS participation to be honest.

I don't know about anybody else, but I think a DDoS is a form of censorship. A website provides information, effectively making it speech. Even if it is speech you disagree with, you should let it be. Personally, I hate communism more than just about anything, but I wouldn't ever encou

I don't know why you were modded down. In my home town, as a prank around graduation, the seniors would dump liquid soap in a fountain so it would bubble all over the place. It was visible on the main drag. Another aspect was putting that art celulous over the lights illuminating it to match the school colors (blue and gold). It took about 50 graduates in order to do it without getting picked up by the cameras. One year, they put sensors in the fountain that went off when the soap changed the pH levels enough, alerting the city to what was happening. Out of about 100 students that participated 6 were caught - 4 who hadn't even dumped the soap yet - and they had to pay for the entire security theater that ensued for a misdemeanor act of mischief. The sad part is that this had happened for so long, everyone thought the city was in on it and we just needed to watch out for the caretaker who would be upset because he had to clean it later.

I learned then that you aren't 2% guilty. If you participate, you are 100% liable and that liability includes what they spent in response to your actions. This was back in the late 80s early 90s. Nothing new with this kid outside of what was vandalized.

Fluffy did have a good point. If you participate in a criminal action - then you are potentially on the line for the whole kit and kaboodle.
Running a red light is not even the same sport. I won't get a ticket if I am a passenger in the car that runs a red light, but I sure as shit would if I was driving my car and ran the light along with a long string of others.
Now - should Rosol have to pay for the bug fix? Hell no - that's like having a criminal pay for a new type of lock because they picked the oth

The problem with that is they wouldn't ticket you for every car that ran the red light, only yours. However, you might be on the hook for something like conspiracy to run red lights (it's an imperfect analogy).

These people need to learn what actual violence against them and their property is

Then you get to learn what ACTUAL violence is, either by police officer or prison inmate.

Let me know when you want off the not-so-merry-go-round.

If your entire life is going to be ruined for any sort of protest, the natural incentive is to go...

Except that property damage is not protest.

Actions that will ruin my entire life do not "incent" me to act worse, they in fact very much incent me not to ruin my life. It is possible to protest without damaging anyone or anything, a fact that seems lost on many groups these days.

Then you get to learn what ACTUAL violence is, either by police officer or prison inmate.

His point is that this fellow is learning what ACTUAL violence is, by police officer and prison inmate, for doing nothing more than sending TCP packets.

Except that property damage is not protest.

Two things: A DDOS is not property damage. And are you claiming the Boston Tea Party [wikipedia.org] was not a protest?

It is possible to protest without damaging anyone or anything

It's not possible to effectively protest anything in today's America. You can have your say all you want inside free speech zones, but you'll never be heard. What good is a phone call if you are unable to speak?

Notice that in both Colorado and Washington these measures were approved by the popular vote, not by legislators.

Stopping anti-union legislation in a few states.

Which states? Didn't help in Michigan or Wisconsin.

An effective protest is one where your opinions are heard and considered fairly

And that happens extremely rarely in the US. Marriage equality is one example, but a fairly trivial one. No one in power stands to gain or lose much when marriage equality is enacted. Try getting your voice heard when those in power are profiting off of the bad policy you are protesting. The overwhelming majority of issues are impossible for the public to affect because of such conflicts of interest.

Are you making a sarcastic point about disproportionate punishment and there being no difference between vigilante and misrepresentation of 'IN the best interests of the people' regarding corporate corruption of the courts / private companies acting as courts?

Doesn't matter if it was for one minute, one hour or one day. You did the crime, you do the crime. If you rape a woman for one minute, you get sentenced for the same as if you raped her for ten minutes.

This is a stupid and dumb angle to take slashdot. You should be utterly and completely ashamed to even articulate this.

This is ridiculous. He didn't rape anyone. He didn't hurt anyone. He rapidly requested web pages for 1 minute, slightly contributing to a computer bogging down. In a less batshit-crazy, less rabidly corporatist world, this would carry a punishment on par with dropping a cigarette butt on the street.

Then wasn't his real crime admitting to being involved? After all, until that point, it could have been someone else using his internet, or spoofing his IP, or that his computer had been compromised and made part of a botnet, etc. And it would seem obvious that the effect on the site would have been no different had he done nothing whatsoever.

Knowingly trying to bring down web sites is a crime. Should we also not arrest people if they only throw one brick through a store window but do not take anything? Should we also not arrest people who kick someone only once when lying on the ground?

A crime is a crime, and the act of committing a crime takes only the moment you decide you are going to commit it. The duration of the actual crime hardly matters when compared to intent.

Also, consider the fact that the minute is only the point they could prove what he did, if he was willing to aid in DDOS attacks who knows how many other people he helped attack in the past?

Yes, we should arrest people that throw a brick through a window.
But we should fine them the price of the window, not the price of hiring an elite security team to protect the window from future brick attacks.

So every time I break a window, the worst thing that can happen, in the very unlikely event that I get caught, is that I pay to replace the window? Hell, even if you tack on 300% punitive damage, the odds of me getting caught is so damn low, I probably can break the entire city's windows.

Since when I finally do get caught, they probably won't be able to prove it was me who did all the others (it's not the most uncommon of crimes)... so I break 1000 windows, and, including punitive damage, I'm only on the hoo

First of all, you'll note I am mainly referring to the comment that the "worst part" is that he only participated for a minute. You seem to be arguing the worst part is the fine.

I partly agree, however I would also say that computers allow us to magnify actions beyond what we can do physically - just as we can send a message to millions via computer, we can also easily do millions of dollars in damage via computer too. I can't say what the right fine would be but it's probably not proportional to what someone would think one person's fine should be...

Exactly. The price of fixing the window is the price the malcontent causes them. The extra security and upgrades to the window to deal with future bricks is.... their choice. I mean, if I destroy your Dodge Neon. It's perfectly fair to say I need to pay you its replacement value; and probably more if it was malicious; its replacement value is not the cost of the Ferrari you decided you wanted to upgrade to since you had to get a new car anyway.

Two things should happen when you toss a brick through a store window. First the owner or perhaps the state on the owner's behalf should initiate a civil proceeding against you where minimally upon being found liable be compelled to pay the full replacement and installation costs of a new window. Additionally you might reasonably be expected to compensate the owner for the temporary loss of use of his property while the window is being repaired. You must compensate for the harm to the owner's property.

Then criminal charges should be brought against you because it's not in society's interest to have people thinking they can go around and break windows. Given throwing bricks through plate glass in public places has a high probability of injuring others that penalty too should be not insignificant. When it's all said and done committing a senseless destructive act of vandalism like that should set you back a few thousand dollars; in the interest of justice.

Now let's think about the DDOS attack. It's vandalism pretty similar; but unless you are DDOSing a hospital, public utility, or some government sites and similar there is basically no probability of anyone getting hurt as a direct consequence. So if anything the harm is automatically much lower. Unlike the window your computer is still perfectly fine once the DDOS is over and done with. So we are really down to society wanting to discourage vandalism and the short term loss of the use of property. Seems to me the penalty might be tied to the revenue the site nominally generates during the period for the owners and a little wrist for society to remind you not to be a prick.

183K is way out of line for 60 of participation in a DDOS, even if you're hitting a site like Amazon.

Yes, a crime is a crime, but if we are going to build analogies with real world crimes they should at least be correct.

Obviously many DDOS attacks are not carried out by volunteers. They are instead vast hijacked zombie farms under the control of a few people. In those cases the term "attack" makes more sense. From my understanding this DDOS attack was carried out by volunteers though. It should really be considered a protest.

What if this guy was part of a real world flash mob that formed in front of a Koch's

But your honor, I only pulled the trigger for 1 second, 2 tops!
While the fine seems FREAKING large I can appreciate that it was tied directly to a purpose. i.e. the amount paid to hire someone to secure the site. But I feel attaching it to the actual value lost (5k) would have been more fair, maybe with a bit extra to be punitive?
I imagine that if they caught more people the fine would have been spread out among them?
But I don't understand why intent to do harm would in any way be lessened because "I only did the bad thing for a short period of time."

1. It is ineffective. The Koch brothers' stance that there is some Liberal Conspiracy going on, hacking them and creating a DOS only proves their paranoia, and only makes them more resolved to continue.

2. It could hurt the wrong people. Are you hitting only their data center, or is that data center shared with other organizations as well. I had a job at a place that hosted Electronic medical records. We had an external hosting site... They also hosted a big evil bank. They DOS the Bank but they also DOS thousands of doctors EMR systems. Granted we had a backup route, but that may not be the case.

3. You put your views on the moral low ground. Are your points so weak and irrational that you need to jump into a technological bullying to get your point across?

I'm American, so I speak from experience. The US legal system allows punitive damages. Eric Rosol didn't have to actually go to jail - that was the fair part of the sentence. But US verdicts with insane monetary awards are not unusual. There's the infamous "McDonald's coffee" case which eventually got settled out of court for a never disclosed amount after a jury awarded what almost everybody in the US considered an unreasonable and probably insane amount of money in punitive damages. Jammie Thomas, the last person you'd ever want to fight the RIAA, has gotten a series of shocking judgements against her, far in excess of any real damage that was done by her. I served on a jury once that awarded punitive damages and they're meant to send a lesson to the guilty party and others (this part is key) that there are very real financial costs to certain actions. In this case, the message is clear that people should not do DOS activities or they too may be facing ruinous financial penalties. I haven't followed this case at all, so for all I know like Jammie Thomas, Rosol may be his own worst enemy and perhaps his demeanor in court led to this outcome. Juries really don't like arrogant defendants who insist that they did nothing wrong when the jury feels otherwise. I can tell you from experience that the vast majority of jurors are non-techies and some are actually tech hostile. These kinds of people also get easily swayed by prosecutor arguments that some great evil just happened that must be prevented in the future because they don't really understand what happened. Juries also sometimes get this subgroup of people (roughly 10% of the population by my estimation) who see the entire world in black and white and are obsessed with punishing rule breakers as they see them. These are the people who want draconian punishments for trivial offenses (ie. they'd support the death penalty for people who let a parking meter expire as "That will teach them not do that again!"). 
Sometimes on juries they are adamant that the "evil doer" has to get a very harsh sentence and if the other jurors really don't care, want to go home, and agree at least that the defendant really is guilty, the other jurors will just agree to large punitive damages so they can get on with their lives. It's difficult to get punitive damages reduced and there's no incentive in the US system for juries to really find a fair verdict. The system just wants them to all agree on the verdict and if 11 people give in to 1 stubborn crazy person, the US system accepts this as the cost for how the system works. The prevailing dogma that gets drilled into all law students and the American public in general is that the US jury system is the greatest of all possible systems and is the cornerstone of our democracy, so nobody on the legal side dares to question whether it really works as it is supposed to or not.

The length of time spent doing something illegal shouldn't absolve guilt that it was illegal in the first place. In my mind it's the same as the mob mentality that overtakes people during riots. Just because everyone else was looting more expensive goods doesn't excuse stealing something cheap.

And he wasn't just sending some traffic to a website. He was participating in a DDoS attack and full well knew what he was doing and what the group was trying to accomplish.